Aug 19, 2009

URL Shorteners and Blacklists

We just had to help a MailChimp customer whose email campaigns got this strange warning from Gmail:

[Screenshot: Gmail phishing alert]

To be honest, I’ve never seen that warning, and have no idea what exactly triggered it. As you can see, the email was also sent straight to Gmail’s junk folder.

On the surface, nothing about the campaign looks bad. The general content of the campaign is fine. The sender is not in a risky business (it’s a church). Their email delivery infrastructure (ahem, MailChimp) is fine. So what gives?

We ran the campaign through our inbox inspector, and got the following "spamminess" score:

[Screenshot: Inbox Inspector results]

Notice it failed Barracuda, Cloudmark, and Postini. It also triggered one rule in SpamAssassin (which, btw, is used in some way, shape, or form by just about all the other spam filters) that got 2 whole points. By now, we should all know how spam filters generally work, and that you shouldn’t use "trigger words" like "FREE!" or "BUY NOW!!!" in your content. But even when you do, those words usually only get assigned a few fractions of a point. Go to this list of SpamAssassin rules and CTRL+F for the word "FREE!" to see what I mean.

But when you see something getting 2 whole SpamAssassin points like this, something’s very wrong.

The rule that was triggered? The message contained a URL listed in the URIBL Blacklist. Upon closer inspection, it turns out they were using a URL shortener (you know, something like tinyurl.com). I’m not going to name names, but this URL shortener wasn’t quite as well known as most of the others I’ve heard of. No idea if it has a bad reputation, but if it’s new on the scene, chances are high that it doesn’t have enough of a reputation.
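A pre-send check for the lookup behind that rule, as an added example that is not MailChimp's or SpamAssassin's own code: it pulls the linked domains out of a campaign body and queries each against a URI blacklist over DNS. It assumes URIBL's public `multi.uribl.com` zone and its 127.0.0.x bitmask replies; the sample body, the `.example` domains and the canned answer are constructed so it runs offline.

```python
import re
import socket

ZONE = "multi.uribl.com"                  # assumption: URIBL's combined zone
LISTS = {2: "black", 4: "grey", 8: "red"}  # bits in the last octet of the reply
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
# Constructed sample campaign and canned DNS answers (not real data).
SAMPLE = ('<p>Join us: <a href="http://www.church.example/events">events</a></p>\n'
          '<p>Sign up: <a href="http://short.example/a1b2">here</a></p>')
FAKE_ANSWERS = {"short.example.multi.uribl.com": "127.0.0.2"}

def link_domains(body):
    """Return the unique domains linked in a campaign body, in order seen."""
    seen = []
    for host in URL_RE.findall(body):
        labels = host.lower().strip(".").split(".")
        # Simplification: keep the last two labels. Real filters use a
        # public-suffix list so that names like example.co.uk work.
        domain = ".".join(labels[-2:])
        if domain not in seen:
            seen.append(domain)
    return seen

def dns_a(name):
    """Live resolver: an A record for name, or None if it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_domain(domain, resolve=dns_a, zone=ZONE):
    """Query <domain>.<zone> and decode the bitmask in the reply."""
    answer = resolve(f"{domain}.{zone}")
    if answer is None:
        return []                          # no record: not listed
    if not answer.startswith("127.0.0."):
        return ["unexpected-answer"]       # e.g. a resolver rewriting NXDOMAIN
    bits = int(answer.rsplit(".", 1)[1])
    if bits & 1:
        return ["query-refused"]           # lookup blocked, status unknown
    return [name for bit, name in LISTS.items() if bits & bit]

def check_campaign(body, resolve=dns_a):
    """Map each linked domain to the lists it is on, listed domains only."""
    hits = {d: check_domain(d, resolve) for d in link_domains(body)}
    return {d: lists for d, lists in hits.items() if lists}

if __name__ == "__main__":
    print(check_campaign(SAMPLE, FAKE_ANSWERS.get))  # offline run on the sample
```

Leave out the `resolve` argument to query the live zone; a `query-refused` result means the resolver in use was denied an answer, not that the domain is clean.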

In general, URL shorteners are great tools that serve a good purpose, but spammers have abused the heck out of them to disguise their (already blacklisted) links.

In response, some spam filters make a habit out of "clicking" all URLs in an email, just to follow redirects from URL shorteners, and analyze the landing page they’d take you to. Which, btw, can lead to some unintentional unsubscribes, but that’s another topic.

If this is all new and fascinating to you, check out this article from Laura Atkins at Word To The Wise: Failed Delivery of Permission Based Email. She covers a few other seemingly innocent but oft-abused URLs that can get your messages blocked.

But it’s not just URL shorteners at risk. Any domain name with a bad reputation can get blocked. For example, there’s this article from yours truly:

Is Your Domain Name Getting You Blocked?

Finally, if you’re a MailChimp customer, be sure to check out our built-in, one-click email checker: Inbox Inspector. It can help you prevent renderability and deliverability problems before you send your campaigns.